The secret requirements list

You perhaps believe that you can read which requirements apply in the laws and standards for medical device manufacturers like ISO 13485 or 93/42/EEC, and to an extent that’s true. But to an increasing extent I’m encountering requirements that notified bodies and authorities have set which aren’t documented anywhere. These requirements are much more difficult to be aware of. Some of these “requirements” may in some cases not even be legitimate requirements that must be fulfilled. I call this “The secret requirements list”. It contains the requirements that the regulatory bodies only make known to us by letting us know we have done something wrong or have a non-conformity, but there is no standard or regulation requiring it.

I think it shouldn’t be like this. It should be possible to read what applies before an authority tells you that they have a requirement that you’re not fulfilling. It also leads to non-conformities, and the root cause analysis can be very strange: “the requirement was completely unknown to us and we didn’t know we had to fulfil it”.

Below is a list of some requirements that I have experienced that I cannot find support for in regulations/standards. Please note, I am not trying to say that the requirements below are all bad; my point is just that there does not seem to be any way of finding these requirements documented somewhere.

| Secret requirements | Note/comment |
|---|---|
| Internal audits shall cover the whole quality management system in no more than 3 years. | Notified body in Europe |
| If you change address you have to perform an internal audit on manufacturing before a new certificate is issued. | Health Canada |
| You need to maintain records of what you send to translation agencies for translation. | Notified body in Europe |
| You need to have records of sending your license renewal application to Health Canada. | Notified body |
| Voluntary standards (not harmonized or recognized consensus standards) shall be considered under management review. | Notified body in Europe |
| You have to perform internal audits every year. | Notified body |
| You need to have at least one management review meeting per year. | Notified body |
| Classification according to Annex 9 of 93/42/EEC shall be part of Design and development inputs. | Notified body |

P.S.: If you believe that any of the requirements listed above are actually included in any governing document, please let me know through the contact form.

Do you want to know more?

My ambition is to collect as much information as possible about the requirements set by authorities/notified bodies which you can’t know about before you’re faced with a non-conformity. If, like me, you feel that this development of “unknown” requirements is alarming and you have experienced the same thing, help me disclose “The secret requirements list” by submitting your own examples that you have experienced. I will keep you posted on how this goes in the future so that you can learn more about the “secret requirements”. You can remain completely anonymous, but if you would like to receive future information on this topic, you will have to submit your email address.

  • Describe what the requirement was from the notified body or competent authority that you cannot find documentation on in any applicable norm or standard.